Occasional token not found for Generic Webhook Trigger Jenkins Plugin - jenkins

We have a lot of jenkins jobs set up as webhook endpoints using Generic Webhook Trigger.
It's mostly working fine. With the token, it's able to find the specific Jenkins job to run for each webhook event.
However occasionally we hit a 404 error with below error message:
{"jobs":null,"message":"Did not find any jobs with GenericTrigger configured! If you are using a
token, you need to pass it like ...trigger/invoke?token=TOKENHERE. If you are not using a token,
you need to authenticate like http://user:passsword@jenkins/generic-webhook... "}
Wondering if there is any reason for this behavior? Is it because of how Generic Webhook Trigger's tokens are mapped, maybe it's getting reset once in a while due to some events? We are hitting a scalability bottleneck due to this issue and would love some insights. Thanks ahead!

Related

Is there a security measure for Jenkins webhook by Generic Webhook Trigger plugin?

I am using the Generic Webhook Trigger plugin with a Bitbucket repo. The trigger using token is as follows:
http://jenkins_url/generic-webhook-trigger/invoke?token=SOME_TOKEN
I thought using Token Credential would solve it. Turned out not to be the case. It is just like the regular token. What I don't get is why there is no security measure implemented here. Anyone with that link can trigger as they will. Is this something that can't be fixed?
When a specified HTTP POST request is received, the Jenkins Generic Webhook Trigger plugin enables you to start a Jenkins build. The plugin does not by default have any security safeguards for the request's authorization or authentication. This implies that any HTTP POST request made to the specified URL will start a Jenkins build.
You can use one of the following methods to secure your Jenkins webhook:
Use a secure connection: To send Jenkins the HTTP POST request, use a secure connection (such as HTTPS). This will lessen the chance that the request will be intercepted or altered while in transit.
Authentication can be added; you can set the plugin up to demand it for incoming HTTP POST requests. Setting the "Authentication Token" field in the plugin setup will accomplish this. The authentication token must be included in the HTTP POST request as a header or query parameter in order to use this feature.
Utilize a webhook secret to increase the security of your Jenkins webhook. In order to use this functionality, you must configure a secret in the plugin's setup and include the secret as a header or query parameter in the HTTP POST request.
Use a reverse proxy: You can use a reverse proxy to increase the security of your Jenkins webhook by adding authentication, encryption, and rate limitation.
Remember that adding security safeguards to your Jenkins webhook can help prevent misuse and illegal access, but it will also make your setup more difficult. It's crucial to thoroughly assess your system's security requirements and pick the proper safeguards for your Jenkins instance.
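As an added illustration of the "authentication token" and "webhook secret" points in the answer above (this is example code written for this page, not the plugin's own code), the gate below shows two checks a receiver or a reverse proxy in front of Jenkins could apply before forwarding a webhook: a constant-time comparison of the ?token= query parameter, and an HMAC-SHA256 signature over the request body. The token value, the shared secret and the X-Hub-Signature-256 header name are constructed assumptions for the example; the real names depend on the sender (Bitbucket, GitHub, etc.) and on how the proxy is configured.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample secrets for the example; a real deployment would load
# these from a secret store, never from source code.
EXPECTED_TOKEN = "s3cr3t-job-token"
WEBHOOK_SECRET = b"shared-hmac-secret"


def token_matches(url: str, expected: str = EXPECTED_TOKEN) -> bool:
    """Check the ?token= query parameter using a constant-time comparison,
    so the check does not leak how many leading characters were right."""
    query = parse_qs(urlparse(url).query)
    supplied = query.get("token", [""])[0]
    return hmac.compare_digest(supplied.encode(), expected.encode())


def sign_body(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Signature a sender would place in the header: 'sha256=<hex digest>'."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Verify the body signature. The header name is an assumption (GitHub-style);
    other senders use different names."""
    supplied = headers.get("X-Hub-Signature-256", "")
    return hmac.compare_digest(supplied, sign_body(body, secret))


def gate_request(url: str, headers: dict, body: bytes):
    """Decide whether a webhook request may be forwarded to Jenkins.
    Returns (allowed, reason). A plain token only proves the caller knows
    the URL; the signature also proves the body was not altered in transit."""
    if not token_matches(url):
        return False, "bad or missing token"
    if not signature_valid(headers, body):
        return False, "bad or missing body signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: correct token and a correctly signed body.
    body = b'{"repository":{"name":"demo"}}'
    url = "https://jenkins.example/generic-webhook-trigger/invoke?token=s3cr3t-job-token"
    print(gate_request(url, {"X-Hub-Signature-256": sign_body(body)}, body))
```

A request that carries the right token but a body that was modified after signing fails the second check, which is the property a bare ?token= URL cannot give you.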

Parameterized Remote Trigger plugin doesn't respect Build Token Root

I'm trying to trigger a job from one Jenkins (A) on another one (B). I've installed 2 plugins:
Parameterized Remote Trigger
Build Token Root
My issue is that I'm able to trigger a build on Jenkins (B) using, for example, curl and a token only, which means the Build Token Root plugin is working as expected, but Parameterized Remote Trigger seems not to respect this.
I probably should mention that I've tried different auth options, Trust All certs, etc.
My Jenkins (A) config:
Logs are the same with and without Build Token Root support enabled.
Logs I'm getting:
I was able to get this working by allowing Anonymous users Overall Read and Job Read access. It appears this is necessary because the Parameterized Remote Trigger plugin attempts to call additional APIs apart from just the /build and /buildWithParameters and those calls are the ones that fail.
It makes sense that, in order to have the default blocking capability, you need to call additional APIs to poll, but even setting blockBuildUntilComplete : false did not fix the issue. Considering that Parameterized Remote Trigger plugin plainly says it "plays well" with the Build Token plugin in its documentation, it really is not an easy feat to make them work together.
In my opinion, using the two together isn't an ideal solution because of the necessity for allowing unauthenticated users to browse your jenkins instance via the ui - I suspect you could (although I haven't tried it) get an API Token for a user with only Overall Read and Job Read access instead of giving all Anonymous Users the rights, but this includes the overhead of managing a user and an API Token, which defeats our primary motivation to use the Build Token plugin in the first place.

Asana Webhooks API

So I have implemented the Asana Webhooks API as described in their documents. I can pass it a project ID and request a new webhook be created. The API successfully sends an authentication request to my application which returns the Security header as described in the Docs. Asana then returns the expected success response, outlining the newly created Webhook's unique ID.
Now if I take this ID and then query the Asana API to show me all configured webhooks on either the parent Workspace or the project resource directly, it returns an empty data JSON Object or reports the resource doesn't exist, suggesting the Webhook I've just created wasn't actually created, despite giving me the expected success response.
Also If I then make a change to a project it doesn't fire the webhook and I don't receive any events on my application.
Strangely everything was working on Friday but today (Monday) I'm experiencing these issues.
Any pointers would be good. I've been working as the Docs suggest in terms of my request structure and am authenticating using a PAT; I've even tried a newly created token.
Thanks,
Our webhooks use the handshake mechanism to make sure that it's possible to call you back, but there's always the possibility that subsequent requests can fail. Additionally (although we don't document this very well - there's an opportunity for us) we should immediately try to deliver a (probably) empty event after the handshake (it looks like {"events":[]}. This is kind of like a "second callback" that contains anything that has changed since you created the webhook.
If this fails - or if any subsequent request fails often enough - the webhook will get trashed. "Failure" in this context means returning HTTP response codes other than 200 or 204.
As for why you're having trouble querying the webhook itself, I wasn't able to repro the issue, so we'd have to dive deeper. It should be fine if you:
Specify the workspace
Optionally specify the resource
I tested this out, and it seemed fine. You also might want to directly query the webhook by id with the /webhooks/:id endpoint - note to use the id of the webhook returned by create, and not the id in the resource field.
If you created the webhook (specifically, your PAT or OAuth app was the one making the create request) you should see the information just fine. If you can get the webhook by id, you should see last_failure_at and last_failure_content fields which would tell you why the webhook was unable to make the delivery.
Finally, if you would like to contact us at api-support@asana.com and let them know more details (for instance, the ID of the webhook you're trying to look at) we can look at those fields from our side to see if we can identify what's going on.
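To make the handshake and the "second callback" described in the answer above concrete, here is an added example of a receiver written as a pure function, so the exchange can be exercised offline; it is illustration code for this page, not Asana's code or the original poster's application. It assumes Asana's documented X-Hook-Secret (handshake) and X-Hook-Signature (HMAC-SHA256 over the body) header names, which are not shown on this page, and the sender side is simulated with a small sign() helper. The receiver answers the handshake by echoing the secret, then acknowledges every signed delivery, including the empty {"events":[]} one, with 204 before doing any processing, since anything other than 200 or 204 counts as a failure that can get the webhook trashed.

```python
import hashlib
import hmac
import json

# Assumed header names (from Asana's docs; not stated on this page).
HANDSHAKE_HEADER = "X-Hook-Secret"
SIGNATURE_HEADER = "X-Hook-Signature"


def sign(secret: str, body: bytes) -> str:
    """Sender side (simulated): hex HMAC-SHA256 of the raw body under the secret."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Models the receiving application: one handshake, then deliveries."""

    def __init__(self):
        self.secret = None   # learned during the handshake
        self.events = []     # accepted events, processed after acknowledging

    def handle(self, headers: dict, body: bytes):
        """Return (status, response_headers, response_body) for one request."""
        # 1. Handshake: Asana sends the secret; echo it back and store it.
        if HANDSHAKE_HEADER in headers:
            self.secret = headers[HANDSHAKE_HEADER]
            return 200, {HANDSHAKE_HEADER: self.secret}, b""

        # 2. Deliveries before any handshake cannot be verified: refuse them.
        if self.secret is None:
            return 401, {}, b""

        # 3. Verify the body signature in constant time; a forged or tampered
        #    delivery is rejected rather than processed.
        expected = sign(self.secret, body)
        if not hmac.compare_digest(headers.get(SIGNATURE_HEADER, ""), expected):
            return 401, {}, b""

        # 4. Parse defensively: a malformed body is the sender's problem, but a
        #    crash here would be a 5xx and count against the webhook.
        try:
            payload = json.loads(body or b"{}")
        except ValueError:
            return 400, {}, b""

        # 5. Acknowledge quickly; the empty "second callback" ends up here too.
        self.events.extend(payload.get("events", []))
        return 204, {}, b""


def run_exchange():
    """Walk through handshake, empty callback, real event, and a forged delivery.
    Returns the list of status codes the receiver produced."""
    receiver = WebhookReceiver()
    statuses = []
    # Constructed messages standing in for what Asana would send.
    status, resp_headers, _ = receiver.handle({HANDSHAKE_HEADER: "constructed-secret"}, b"")
    statuses.append(status)
    secret = resp_headers[HANDSHAKE_HEADER]
    for body in (b'{"events":[]}',
                 b'{"events":[{"action":"changed","resource":{"gid":"1"}}]}'):
        statuses.append(receiver.handle({SIGNATURE_HEADER: sign(secret, body)}, body)[0])
    # Forged delivery signed with the wrong secret.
    body = b'{"events":[{"action":"deleted"}]}'
    statuses.append(receiver.handle({SIGNATURE_HEADER: sign("wrong", body)}, body)[0])
    return statuses, len(receiver.events)


if __name__ == "__main__":
    print(run_exchange())   # expected: ([200, 204, 204, 401], 1)
```

The point of keeping step 5 minimal is exactly the failure mode the answer describes: if the receiver does heavy work, or errors, before responding, the delivery is recorded as a failure and the webhook can be trashed; the last_failure_at and last_failure_content fields on the webhook are where that shows up.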

Travis build getting Errored randomly due to timeout/authentication failure

Travis builds are failing randomly due to problems like connection timeout, authentication failure etc.
Any idea why it is happening? How can it be fixed?
Check this build, two of the jobs passed while other two failed.
Here in this build , all the jobs failed.
Here is my composer.json, if it can give any clue.
The problem is caused by limits on GitHub API usage. Travis adds its own authentication token, but when there are many projects building, the limit of 5000 API requests per hour is easily reached.
One way to fix that is to generate your own read-only GitHub token and use it; this way you will get your own limit of 5000 API requests per hour, which should be enough.
To change used token, use:
composer config --global github-oauth.github.com "$GITHUB_TOKEN"

Different error responses when using the JIRA REST API in two instances

We have two jira installations at our company. One that we use for our projects and a second one for testing purposes.
I'm working in a project that needs to use the JIRA REST API. For this purpose I'm connecting to our testing instance.
The problem is that while trying out the REST API, I keep getting 400 errors without a single explanation of what went wrong. I just get an HTML with
Your browser sent a request that this server could not understand
I was a bit desperate and decided to try it on our real JIRA. To my surprise the same request gave me a different response:
{"errorMessages":[],"errors":{"project":"project is required"}}
In this case, I do get a meaningful error!
I replicated this easily. I would never get a meaningful error from the test instance, but the real one will always give me one.
I cannot keep trying out stuff in our productive JIRA, but I cannot easily continue working without getting meaningful errors. So, what could be wrong in the testing instance? I could not find any configuration about the 'verbosity' of the API responses.
I believe that this error is returned not by JIRA but rather by a proxy web server that is part of your production configuration.
I suggest you compare the HTTP headers that are sent with working requests from your browser with the headers you pass via curl. Googling for "Your browser sent a request that this server could not understand" helps too.